From e27b932c171d700fc82617280339727a90dddcee Mon Sep 17 00:00:00 2001
From: Felipe Lessa
Date: Mon, 25 May 2015 18:57:17 -0300
Subject: [PATCH] Add note about J2EE's invalidate.
---
serversession/src/Web/ServerSession/Core/Internal.hs | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/serversession/src/Web/ServerSession/Core/Internal.hs b/serversession/src/Web/ServerSession/Core/Internal.hs
index 70c62a2..ec6115b 100644
--- a/serversession/src/Web/ServerSession/Core/Internal.hs
+++ b/serversession/src/Web/ServerSession/Core/Internal.hs
@@ -328,6 +328,11 @@ forceInvalidateKey = "serversession-force-invalidate"
 -- | Which session IDs should be invalidated.
+--
+-- Note that this is not the same concept of invalidation as used
+-- on J2EE. In this context, invalidation means creating a fresh
+-- session ID for this user's session and disabling the old ID.
+-- Its purpose is to avoid session fixation attacks.
 data ForceInvalidate = CurrentSessionId -- ^ Invalidate the current session ID. The current session